By default PostgreSQL will store data on disk in its standard format. However, in many cases business or legal requirements require data to on disk be encrypted.
On disk-encryption was paid for by German industry and is a classical case showing how business and Open Source can coexist. This talk shows, that it can be actually cheaper to implement a feature into an Open Source product than to license a commercial product such as Oracle, DB2, Informix, or MS SQL Server.
Open Source can make a valuable contribution to save costs for everybody.
5. Cybertec Schönig & Schönig GmbH
24x7 support for PostgreSQL
PostgreSQL training
PostgreSQL consulting
Hans-Jürgen Schönig
www.postgresql-support.de
6. Get more out of PostgreSQL
Hans-Jürgen Schönig
www.postgresql-support.de
7. PostgreSQL features
PostgreSQL provides many features
Many “Enterprise” features are available
e.g. replication, analytics, etc.
Hans-Jürgen Schönig
www.postgresql-support.de
8. Missing stuff
Nothing is feature complete
Once in a while everybody finds missing parts
Hans-Jürgen Schönig
www.postgresql-support.de
9. Sponsoring vs. licensing
Remember, PostgreSQL is Open Source
Sponsoring a feature is often cheaper than buying commercial
licenses
No need to chain yourself to a commercial vendor
Hans-Jürgen Schönig
www.postgresql-support.de
11. Specific customer requirements
Customer could only provide encryption based on expensive
commercial software
Encryption is needed to fulfill legal and internal requirements
Hans-Jürgen Schönig
www.postgresql-support.de
12. Making it work
Implement highly optimized code to handle encryption on the
block level in PostgreSQL
Totally transparent to the end user
Keys can be stored in a key store of your choice
Hans-Jürgen Schönig
www.postgresql-support.de
13. What it does
We encrypt:
Tables
Indexes
Temporary files
Full WAL encryption
Commit Log (clog)
More stuff: Subtransaction directories, MultiXact . . .
What we do not encrypt (yet):
pg_stat_statements, logical replication buffers, control data (on
purpose)
Hans-Jürgen Schönig
www.postgresql-support.de
14. Encryption technology
Extensible mechanism
Included in pgcrypto: AES-XTS 128
Future versions will use Intel hardware support
Current prototype does 4 GB / sec per core !
Hans-Jürgen Schönig
www.postgresql-support.de
15. Good news
We all got encryption now
Not yet in core but available to end users already with full
professional support
Patch on hackers
Anybody willing to feedback?
Hans-Jürgen Schönig
www.postgresql-support.de
16. Commercial success
Writing code + integrating was cheaper than just integrating
commercial stuff
Makes sense for everybody
Customer
Community
Hans-Jürgen Schönig
www.postgresql-support.de
17. What we learn from this
Have the guts and the conviction to do what is right
Think for yourself
Find solutions to YOUR problems
Do not change your requirements just because some commercial
vendor forces you to do so
Benefit from Open Source
Invest wisely
Hans-Jürgen Schönig
www.postgresql-support.de
18. Where can we get the code?
Our website has the code:
http://www.cybertec.at/en/products/postgresql-instance-
level-encryption/
It is under PostgreSQL license
Hans-Jürgen Schönig
www.postgresql-support.de